John M. Harris Jr wrote:
> To clarify a bit, the most common method of extracting a key from a TPM
> has been to simply desolder the TPM from the system and solder it onto
> another system. This works with the popular implementations.

Surely that is not a process that you want to advertise to end users!
I stay by what I wrote: a TPM, or anything with the same security model, is
not an acceptable place for a LUKS key token. Either use a plain keyfile on
a removable USB mass storage stick, or if that does not provide acceptable
security in your setup, find another solution (such as a passphrase).
Kevin Kofler